Privacy Policy — Train Badger

Effective date: 23 February 2026

1. Who we are

Train Badger is a UK train departure app. The data controller is [PLACEHOLDER_NAME], contactable at [PLACEHOLDER_EMAIL].

2. Data we collect

Data	Purpose	Storage
Email address	Account authentication	Server database
Password	Account authentication	Stored as bcrypt hash only — plaintext never retained
Auth tokens	Session management	Stored as SHA-256 hash — plaintext held only on your device
APNs device token	Push notifications for train status changes	Server database, linked to your account
Pinned service IDs, origin/destination station codes	Service monitoring and push notifications	Server database

We do not collect location data, analytics, advertising identifiers, cookies, or any data beyond what is listed above. Location features (if any) run entirely on-device.

3. How we use your data

• Authentication and session management
• Delivering push notifications about train status changes you've opted into (pinned services)
• Querying National Rail departure data on your behalf

4. Third parties

Third Party	Data Shared	Purpose
National Rail / Huxley2	Station codes, service IDs (no user-identifying data)	Train departure and service data
Apple Push Notification service (APNs)	Device token, notification content	Delivering push notifications to your device

No data is sold, shared for advertising, or transferred to any other third parties.

5. Data retention

• Account data retained while your account is active
• Pinned services automatically deleted after 4 hours
• Auth tokens expire after 30 days
• You can delete your account at any time (see section 7), which immediately and permanently removes all your data

6. Data security

• All connections encrypted via TLS (HTTPS)
• Passwords hashed with bcrypt
• Auth tokens hashed with SHA-256
• Database stored on a secured server with firewall restrictions

7. Your rights (UK GDPR)

Under UK GDPR, you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — delete your account and all associated data (available in-app under Settings, or by contacting us)
• Data portability — receive your data in a structured format
• Objection — object to processing of your data
• Complaint — lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, contact [PLACEHOLDER_EMAIL].

8. Changes to this policy

We may update this policy. The effective date at the top will be updated accordingly.